MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8


Maldoc score: 5


Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash: d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f
SHA3-384 hash: 78c854098e18321740d724a939e7eb13f3083b58890123bfab7f6afb45346b279d529d527437512246c7897e7149f24b
SHA1 hash: 2fadfaef5179fe69bfecbd9adebd8f6a50615fa4
MD5 hash: 9b1ca0408e33c43970b87c4c380b134f
humanhash: jig-foxtrot-venus-november
File name:economic relations.doc
Download: download sample
File size:108'989 bytes
First seen:2021-08-02 12:50:29 UTC
Last seen:2021-08-30 13:37:45 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 768:lhfdrQHFZPSu14mEJc1icjEocMBf0Nxi/qNafupsP0ZzB5:45Aoc2uxwq/v5
TLSH T11FB3CC0FFABD9610E595C2311B92C9E31156BF11AB2496CAA1CF7F1AB03C53637292C7
Reporter JAMESWT_WT
Tags:apt doc KONNI

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 5
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 11 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
24096 bytesDocumentSummaryInformation
34096 bytesSummaryInformation
411936 bytes1Table
56150 bytesData
6449 bytesMacros/PROJECT
741 bytesMacros/PROJECTwm
81538 bytesMacros/VBA/ThisDocument
92483 bytesMacros/VBA/_VBA_PROJECT
10512 bytesMacros/VBA/dir
1168148 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
IOCy.jsExecutable file name
SuspiciousShellMay run an executable file or a system command
SuspiciousvbHideMay run an executable file or a system command

Intelligence


File Origin
# of uploads :
3
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
economic relations.doc
Verdict:
Malicious activity
Analysis date:
2021-07-29 23:41:09 UTC
Tags:
macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a file
Running batch commands
Sending a UDP request
Deleting a recently created file
Replacing files
Changing a file
Running batch commands by exploiting the app vulnerability
Deleting of the original file
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
96 / 100
Signature
Bypasses PowerShell execution policy
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: WScript or CScript Dropper
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457926 Sample: economic relations.doc Startdate: 02/08/2021 Architecture: WINDOWS Score: 96 83 Multi AV Scanner detection for domain / URL 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Obfuscated command line found 2->87 89 7 other signatures 2->89 10 WINWORD.EXE 50 42 2->10         started        13 iexplore.exe 1 76 2->13         started        process3 dnsIp4 99 Obfuscated command line found 10->99 16 cmd.exe 2 10->16         started        73 192.168.2.1 unknown unknown 13->73 19 iexplore.exe 3 49 13->19         started        signatures5 process6 dnsIp7 81 Obfuscated command line found 16->81 22 wscript.exe 3 16->22         started        25 cmd.exe 1 16->25         started        27 conhost.exe 16->27         started        29 findstr.exe 1 16->29         started        67 mc.yandex.ru 93.158.134.119, 443, 49729, 49730 YANDEXRU Russian Federation 19->67 69 minvr.gov.ru 31.173.55.235, 443, 49718, 49719 SONICDUO-ASRU Russian Federation 19->69 71 2 other IPs or domains 19->71 signatures8 process9 signatures10 93 Wscript starts Powershell (via cmd or directly) 22->93 95 Obfuscated command line found 22->95 97 Bypasses PowerShell execution policy 22->97 31 powershell.exe 39 22->31         started        35 cmd.exe 2 22->35         started        38 cmd.exe 2 22->38         started        40 wscript.exe 22->40         started        process11 dnsIp12 75 takemetoyouheart.c1.biz 185.176.43.106, 49731, 80 ZETTA-ASBG Bulgaria 31->75 77 taketodjnfnei898.ueuo.com 162.253.155.226, 49732, 80 REPRISE-HOSTINGUS United States 31->77 79 err.freewebhostingarea.com 72.9.150.244, 443, 49733 ASN-DISUS United States 31->79 63 C:\Users\user\AppData\...\ut5knzb0.cmdline, UTF-8 31->63 dropped 42 csc.exe 31->42         started        45 cmd.exe 31->45         started        47 conhost.exe 31->47         started        49 cmd.exe 31->49         started        91 Obfuscated command line found 35->91 51 conhost.exe 35->51         started        53 findstr.exe 1 35->53         started        55 conhost.exe 38->55         started        57 findstr.exe 1 38->57         started        file13 signatures14 process15 file16 65 C:\Users\user\AppData\Local\...\ut5knzb0.dll, PE32 42->65 dropped 59 cvtres.exe 42->59         started        61 expand.exe 45->61         started        process17
Threat name:
Document-Word.Dropper.SDrop
Status:
Malicious
First seen:
2021-07-30 01:02:19 UTC
File Type:
Document
Extracted files:
18
AV detection:
21 of 46 (45.65%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://takemetoyouheart.c1.biz/index.php?user_id=319
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_in_Word_Doc
Author:Florian Roth
Description:Detects a powershell and bypass keyword in a Word document
Reference:Internal Research - ME

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments